|
|
80913e |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
80913e |
From: Thomas Frauendorfer | Miray Software <tf@miray.de>
|
|
|
80913e |
Date: Thu, 4 Feb 2021 19:02:33 +0100
|
|
|
80913e |
Subject: [PATCH] kern/misc: Add function to check printf() format against
|
|
|
80913e |
expected format
|
|
|
80913e |
|
|
|
80913e |
The grub_printf_fmt_check() function parses the arguments of an untrusted
|
|
|
80913e |
printf() format and an expected printf() format and then compares the
|
|
|
80913e |
arguments counts and arguments types. The arguments count in the untrusted
|
|
|
80913e |
format string must be less or equal to the arguments count in the expected
|
|
|
80913e |
format string and both arguments types must match.
|
|
|
80913e |
|
|
|
80913e |
To do this the parse_printf_arg_fmt() helper function is extended in the
|
|
|
80913e |
following way:
|
|
|
80913e |
|
|
|
80913e |
1. Add a return value to report errors to the grub_printf_fmt_check().
|
|
|
80913e |
|
|
|
80913e |
2. Add the fmt_check argument to enable stricter format verification:
|
|
|
80913e |
- the function expects that arguments definitions are always
|
|
|
80913e |
terminated by a supported conversion specifier.
|
|
|
80913e |
- positional parameters, "$", are not allowed, as they cannot be
|
|
|
80913e |
validated correctly with the current implementation. For example
|
|
|
80913e |
"%s%1$d" would assign the first args entry twice while leaving the
|
|
|
80913e |
second one unchanged.
|
|
|
80913e |
- Return an error if preallocated space in args is too small and
|
|
|
80913e |
allocation fails for the needed size. The grub_printf_fmt_check()
|
|
|
80913e |
should verify all arguments. So, if validation is not possible for
|
|
|
80913e |
any reason it should return an error.
|
|
|
80913e |
This also adds a case entry to handle "%%", which is the escape
|
|
|
80913e |
sequence to print "%" character.
|
|
|
80913e |
|
|
|
80913e |
3. Add the max_args argument to check for the maximum allowed arguments
|
|
|
80913e |
count in a printf() string. This should be set to the arguments count
|
|
|
80913e |
of the expected format. Then the parse_printf_arg_fmt() function will
|
|
|
80913e |
return an error if the arguments count is exceeded.
|
|
|
80913e |
|
|
|
80913e |
The two additional arguments allow us to use parse_printf_arg_fmt() in
|
|
|
80913e |
printf() and grub_printf_fmt_check() calls.
|
|
|
80913e |
|
|
|
80913e |
When parse_printf_arg_fmt() is used by grub_printf_fmt_check() the
|
|
|
80913e |
function parse user provided untrusted format string too. So, in
|
|
|
80913e |
that case it is better to be too strict than too lenient.
|
|
|
80913e |
|
|
|
80913e |
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
|
|
|
80913e |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
80913e |
---
|
|
|
80913e |
grub-core/kern/misc.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++---
|
|
|
80913e |
include/grub/misc.h | 16 ++++++++++
|
|
|
80913e |
2 files changed, 94 insertions(+), 4 deletions(-)
|
|
|
80913e |
|
|
|
80913e |
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
|
|
|
b32e65 |
index 07456faa2..859d71659 100644
|
|
|
80913e |
--- a/grub-core/kern/misc.c
|
|
|
80913e |
+++ b/grub-core/kern/misc.c
|
|
|
80913e |
@@ -711,8 +711,26 @@ grub_lltoa (char *str, int c, unsigned long long n)
|
|
|
80913e |
return p;
|
|
|
80913e |
}
|
|
|
80913e |
|
|
|
80913e |
-static void
|
|
|
80913e |
-parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
|
|
|
80913e |
+/*
|
|
|
80913e |
+ * Parse printf() fmt0 string into args arguments.
|
|
|
80913e |
+ *
|
|
|
80913e |
+ * The parsed arguments are either used by a printf() function to format the fmt0
|
|
|
80913e |
+ * string or they are used to compare a format string from an untrusted source
|
|
|
80913e |
+ * against a format string with expected arguments.
|
|
|
80913e |
+ *
|
|
|
80913e |
+ * When the fmt_check is set to !0, e.g. 1, then this function is executed in
|
|
|
80913e |
+ * printf() format check mode. This enforces stricter rules for parsing the
|
|
|
80913e |
+ * fmt0 to limit exposure to possible errors in printf() handling. It also
|
|
|
80913e |
+ * disables positional parameters, "$", because some formats, e.g "%s%1$d",
|
|
|
80913e |
+ * cannot be validated with the current implementation.
|
|
|
80913e |
+ *
|
|
|
80913e |
+ * The max_args allows to set a maximum number of accepted arguments. If the fmt0
|
|
|
80913e |
+ * string defines more arguments than the max_args then the parse_printf_arg_fmt()
|
|
|
80913e |
+ * function returns an error. This is currently used for format check only.
|
|
|
80913e |
+ */
|
|
|
80913e |
+static grub_err_t
|
|
|
80913e |
+parse_printf_arg_fmt (const char *fmt0, struct printf_args *args,
|
|
|
80913e |
+ int fmt_check, grub_size_t max_args)
|
|
|
80913e |
{
|
|
|
80913e |
const char *fmt;
|
|
|
80913e |
char c;
|
|
|
80913e |
@@ -739,7 +757,12 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
|
|
|
80913e |
fmt++;
|
|
|
80913e |
|
|
|
80913e |
if (*fmt == '$')
|
|
|
80913e |
- fmt++;
|
|
|
80913e |
+ {
|
|
|
80913e |
+ if (fmt_check)
|
|
|
80913e |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
|
80913e |
+ "positional arguments are not supported");
|
|
|
80913e |
+ fmt++;
|
|
|
80913e |
+ }
|
|
|
80913e |
|
|
|
80913e |
if (*fmt =='-')
|
|
|
80913e |
fmt++;
|
|
|
80913e |
@@ -771,9 +794,19 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
|
|
|
80913e |
case 's':
|
|
|
80913e |
args->count++;
|
|
|
80913e |
break;
|
|
|
80913e |
+ case '%':
|
|
|
80913e |
+ /* "%%" is the escape sequence to output "%". */
|
|
|
80913e |
+ break;
|
|
|
80913e |
+ default:
|
|
|
80913e |
+ if (fmt_check)
|
|
|
80913e |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "unexpected format");
|
|
|
80913e |
+ break;
|
|
|
80913e |
}
|
|
|
80913e |
}
|
|
|
80913e |
|
|
|
80913e |
+ if (fmt_check && args->count > max_args)
|
|
|
80913e |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "too many arguments");
|
|
|
80913e |
+
|
|
|
80913e |
if (args->count <= ARRAY_SIZE (args->prealloc))
|
|
|
80913e |
args->ptr = args->prealloc;
|
|
|
80913e |
else
|
|
|
80913e |
@@ -781,6 +814,9 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
|
|
|
80913e |
args->ptr = grub_calloc (args->count, sizeof (args->ptr[0]));
|
|
|
80913e |
if (!args->ptr)
|
|
|
80913e |
{
|
|
|
80913e |
+ if (fmt_check)
|
|
|
80913e |
+ return grub_errno;
|
|
|
80913e |
+
|
|
|
80913e |
grub_errno = GRUB_ERR_NONE;
|
|
|
80913e |
args->ptr = args->prealloc;
|
|
|
80913e |
args->count = ARRAY_SIZE (args->prealloc);
|
|
|
80913e |
@@ -872,6 +908,8 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
|
|
|
80913e |
break;
|
|
|
80913e |
}
|
|
|
80913e |
}
|
|
|
80913e |
+
|
|
|
80913e |
+ return GRUB_ERR_NONE;
|
|
|
80913e |
}
|
|
|
80913e |
|
|
|
80913e |
static void
|
|
|
80913e |
@@ -879,7 +917,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args, va_list args_in)
|
|
|
80913e |
{
|
|
|
80913e |
grub_size_t n;
|
|
|
80913e |
|
|
|
80913e |
- parse_printf_arg_fmt (fmt0, args);
|
|
|
80913e |
+ parse_printf_arg_fmt (fmt0, args, 0, 0);
|
|
|
80913e |
|
|
|
80913e |
for (n = 0; n < args->count; n++)
|
|
|
80913e |
switch (args->ptr[n].type)
|
|
|
80913e |
@@ -1187,6 +1225,42 @@ grub_xasprintf (const char *fmt, ...)
|
|
|
80913e |
return ret;
|
|
|
80913e |
}
|
|
|
80913e |
|
|
|
80913e |
+grub_err_t
|
|
|
80913e |
+grub_printf_fmt_check (const char *fmt, const char *fmt_expected)
|
|
|
80913e |
+{
|
|
|
80913e |
+ struct printf_args args_expected, args_fmt;
|
|
|
80913e |
+ grub_err_t ret;
|
|
|
80913e |
+ grub_size_t n;
|
|
|
80913e |
+
|
|
|
80913e |
+ if (fmt == NULL || fmt_expected == NULL)
|
|
|
80913e |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid format");
|
|
|
80913e |
+
|
|
|
80913e |
+ ret = parse_printf_arg_fmt (fmt_expected, &args_expected, 1, GRUB_SIZE_MAX);
|
|
|
80913e |
+ if (ret != GRUB_ERR_NONE)
|
|
|
80913e |
+ return ret;
|
|
|
80913e |
+
|
|
|
80913e |
+ /* Limit parsing to the number of expected arguments. */
|
|
|
80913e |
+ ret = parse_printf_arg_fmt (fmt, &args_fmt, 1, args_expected.count);
|
|
|
80913e |
+ if (ret != GRUB_ERR_NONE)
|
|
|
80913e |
+ {
|
|
|
80913e |
+ free_printf_args (&args_expected);
|
|
|
80913e |
+ return ret;
|
|
|
80913e |
+ }
|
|
|
80913e |
+
|
|
|
80913e |
+ for (n = 0; n < args_fmt.count; n++)
|
|
|
80913e |
+ if (args_fmt.ptr[n].type != args_expected.ptr[n].type)
|
|
|
80913e |
+ {
|
|
|
80913e |
+ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "arguments types do not match");
|
|
|
80913e |
+ break;
|
|
|
80913e |
+ }
|
|
|
80913e |
+
|
|
|
80913e |
+ free_printf_args (&args_expected);
|
|
|
80913e |
+ free_printf_args (&args_fmt);
|
|
|
80913e |
+
|
|
|
80913e |
+ return ret;
|
|
|
80913e |
+}
|
|
|
80913e |
+
|
|
|
80913e |
+
|
|
|
80913e |
/* Abort GRUB. This function does not return. */
|
|
|
80913e |
static inline void __attribute__ ((noreturn))
|
|
|
80913e |
grub_abort (void)
|
|
|
80913e |
diff --git a/include/grub/misc.h b/include/grub/misc.h
|
|
|
b32e65 |
index 6ca03c4d6..6be6a88f6 100644
|
|
|
80913e |
--- a/include/grub/misc.h
|
|
|
80913e |
+++ b/include/grub/misc.h
|
|
|
80913e |
@@ -488,6 +488,22 @@ grub_error_load (const struct grub_error_saved *save)
|
|
|
80913e |
grub_errno = save->grub_errno;
|
|
|
80913e |
}
|
|
|
80913e |
|
|
|
80913e |
+/*
|
|
|
80913e |
+ * grub_printf_fmt_checks() a fmt string for printf() against an expected
|
|
|
80913e |
+ * format. It is intended for cases where the fmt string could come from
|
|
|
80913e |
+ * an outside source and cannot be trusted.
|
|
|
80913e |
+ *
|
|
|
80913e |
+ * While expected fmt accepts a printf() format string it should be kept
|
|
|
80913e |
+ * as simple as possible. The printf() format strings with positional
|
|
|
80913e |
+ * parameters are NOT accepted, neither for fmt nor for fmt_expected.
|
|
|
80913e |
+ *
|
|
|
80913e |
+ * The fmt is accepted if it has equal or less arguments than fmt_expected
|
|
|
80913e |
+ * and if the type of all arguments match.
|
|
|
80913e |
+ *
|
|
|
80913e |
+ * Returns GRUB_ERR_NONE if fmt is acceptable.
|
|
|
80913e |
+ */
|
|
|
80913e |
+grub_err_t EXPORT_FUNC (grub_printf_fmt_check) (const char *fmt, const char *fmt_expected);
|
|
|
80913e |
+
|
|
|
80913e |
#if BOOT_TIME_STATS
|
|
|
80913e |
struct grub_boot_time
|
|
|
80913e |
{
|